This action configures authentication to a GKE cluster via a kubeconfig
file that can be used with kubectl
or other methods of interacting with the cluster.
Authentication is performed by generating a short-lived token (default behaviour) or via the GCP auth plugin present in kubectl
which uses the service account keyfile path in GOOGLE_APPLICATION_CREDENTIALS.
This action requires:
-
Google Cloud credentials that are authorized to view a GKE cluster. See the Authorization section below for more information.
steps:
- id: get-credentials
uses: google-github-actions/get-gke-credentials@main
with:
cluster_name: my-cluster
location: us-central1-a
credentials: ${{ secrets.gcp_credentials }}
# The KUBECONFIG env var is automatically exported and picked up by kubectl.
- id: get-pods
run: kubectl get pods
-
cluster_name
: (Required) Name of the cluster to get credentials for. -
location
: (Required) Location (Region/Zone) for the cluster. -
credentials
: (Optional) Service account key to use for authentication. This should be the JSON formatted private key which can be exported from the Cloud Console. The value can be raw or base64-encoded. Required if not using a thesetup-gcloud
action with exported credentials. -
project_id
: (Optional) Project ID where the cluster is deployed. If provided, this will override the project configured by gcloud. -
use_auth_provider
: (Optional) Flag to use GCP auth plugin in kubectl instead of a short lived token. Defaults to false. -
use_internal_ip
: (Optional) Flag to use the internal IP address of the cluster endpoint with private clusters. Defaults to false.
- Exports env var
KUBECONFIG
which is set to the generatedkubeconfig
file path.
There are a few ways to authenticate this action. A service account will be needed with at least the following roles:
- Kubernetes Engine Cluster Viewer (
roles/container.clusterViewer
):- Get and list access to GKE Clusters. `
You can provide Google Cloud Service Account JSON directly to the action
by specifying the credentials
input. First, create a GitHub
Secret that contains the JSON content, then import it into the
action:
- id: get-credentials
uses: google-github-actions/get-gke-credentials@main
with:
cluster_name: my-cluster
location: us-central1-a
credentials: ${{ secrets.gcp_credentials }}
If you are hosting your own runners, and those runners are on Google Cloud, you can leverage the Application Default Credentials of the instance. This will authenticate requests as the service account attached to the instance. This only works using a custom runner hosted on GCP.
- id: get-credentials
uses: google-github-actions/get-gke-credentials@main
with:
cluster_name: my-cluster
location: us-central1-a
The action will automatically detect and use the Application Default Credentials.